Difference between revisions of "Authentication Service 2.0"

Revision as of 17:22, 10 September 2009

This page describes a new network Authentication Service 1.1.

Objective

A new service that performs authentication of selector clients and issues an access token that can be consumed by both the Higgins Selector (e.g. GTK Selector 1.1-Win) and all of its various supporting services including the I-Card Service 1.1, CardSync Service 1.1.

Background

At present authentication is performed within the RPPS Package within the I-Card Service. Here are some implications:

In deployments where the I-Card Service and CardSync Service are co-resident, the CardSync Service can rely on this same authentication capability within RPPS Package. However if these services are deployed separately, the [[CardSync Service will have no way to authenticate the selector client.
As we move towards Higgins 1.1 other new services may be added that also need to authenticate the selector client. With the current design this is difficult.
We can envision deployment architectures where organization A would host the authentication service, and organization B would host the others. By having a separate authentication service, this deployment option becomes available.

High Level Requirements

Functionality:

Accepts authentication materials, evaluates them, if acceptable generates an access token that it returns to the consumer/client
Can authenticate "serialized" selector clients to this service
- Input from client: selectorId + proof of possession of a secret key

Implementation characteristics:

RESTful web service
Security is critical
Uses open standards where possible (e.g. OpenID/OAuth etc.)

Compatibility:

Can be used as the authentication service of an OpenID "OP" (IdP)

@@ Line 27: / Line 27: @@
 Compatibility:
 #Can be used as the authentication service of an OpenID "OP" (IdP)
-==Implementation==
-=== Service ===
-* First version should be an OpenID OP and use OAuth for returning the access token
-* Would authenticate using a combination of (i) a manually typed in un/pw + (ii) POP of a client-serialized-key + (perhaps) (iii) some digital fingerprint data from the machine
-* Returns access token in browser redirect
-=== Selector changes: LICS Authentication ===
-Changes required to the un/pw login dialog box:
-* Allow the user to login not just with a "local" un/pw approach, but also via one of a number of trusted OpenID providers.  This would mean that the user could choose between "local" login (today's approach) or by clicking on 1..N buttons that represent OpenID or SAML IdPs.
-* The login module would initiate an OpenID/OAuth interaction with the IdP. It would only initiate OpenID/OAuth to hard-coded list of IdPs.
-* The login module would (through browser redirect back) end up with an access token
-* The [[Local I-Card Service Package]] would send this access token (in addition to proof of possession of a serialization key) on every message to the [[I-Card Service 1.1]], [[CardSync Service 1.1]], [[IdAS Proxy Service 1.1]] and the [[Attribute Service 1.1]] "meta" Context.
-While we're making changes to the login module:
-* There could be a checkbox: "Clear all data from this machine when quitting this application". If checked, the LICS would delete all locally stored data from the machine when the Azigo app quit.
-=== Changes to Selector-Supporting Services ===
-The [[I-Card Service 1.1]], [[CardSync Service 1.1]], [[IdAS Proxy Service 1.1]] and the [[Attribute Service 1.1]] would all need to be changed to rely on the access token generated by the [[Authentication Service 1.1]] for authentication.

Breadcrumbs

Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.

Difference between revisions of "Authentication Service 2.0"

Revision as of 17:22, 10 September 2009

Objective

Background

High Level Requirements